For a failed login, the browser actually makes two HTTP requests, so $ENV{'HTTP_REFERER'} is actually correct.

You should not use $ENV{'HTTP_REFERER'} for anything serious, as it can be unavailable (if HTTPS is used as protocol) or misleading.

I recommend saving the next page to use when displaying the login screen as an additional parameter of the URL. Also, make sure that you will only ever be redirecting to an URL on the same host instead of URLs outside.

Most likely, /search.pl will want to redirect the user to /login.pl?return_to=/search.pl and redirect the user from the login page to /search.pl.